Saturday, April 21, 2012

EXE null EntryPoint execution

Hi folks, today while I was surfing on my personal feeds I hit this interesting picture ( the original from Twitter is here). I am not going into the details since the picture is quite self explaining (plus I am traveling and not much time, unfortunately )

The first binary is a DLL with a null EntryPoint, basically it won't load. The second binary is a a PE executable with null EntryPoint too. The third and last executable is a "good" PE executable, in the sense that it gots a valid EntryPoint . In the black shell the author shows the execution of the two PE files. Both of them run ( both of them end in the execution of the null reference DLL). The actual PE with null EntryPoint got its %EP executed. Quite interesting isn't it?